
NSA purchase of Americans’ personal data from brokers is illegal, senator says

Sen. Ron Wyden on Thursday asserted that the National Security Agency’s (NSA) purchase of Americans’ internet records from data brokers is illegal based on a recent Federal Trade Commission ruling.

The Oregon Democrat released documents showing senior defense officials acknowledging they buy commercial data, including internet metadata and information associated with phones located inside the U.S. The officials said they do not buy location data.

Wyden said the NSA has fought the public release of the information for three years, and the agency only agreed to it after he placed a hold on the nomination of incoming NSA director, Lt. General Timothy Haugh.

In releasing the documents, Wyden again demanded that the Biden administration prohibit intelligence agencies from buying personal data that has been procured from data brokers. He cited a recent Federal Trade Commission (FTC) order outlining that data brokers must get Americans’ informed consent before peddling certain data to U.S. military customers.

Although the FTC order only applies to geolocation data, Wyden said internet metadata is equally sensitive.

“The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,” Wyden wrote in a letter to Director of National Intelligence (DNI) Avril Haines today. “To that end, I request that you adopt a policy that, going forward, IC (intelligence community) elements may only purchase data about Americans that meets the standard for legal data sales established by the FTC.”

Wyden, a senior member of the Senate Intelligence Committee, has long worked to expose how the federal government warrantlessly purchases and searches private records. In 2021 he announced findings that the Defense Intelligence Agency was buying and using location data collected from Americans’ phones.

In his letter to Haines, Wyden said that until recently the data broker industry and the intelligence community’s pumping of money to the “shady companies” have operated in a “legal gray area,” but he said the new FTC order asserting that Americans must agree to their geolocation data being sold to “government contractors for national security purposes” makes clear that current practice is illegal.

The senator added that in seven years of investigating the industry he has not encountered a data broker company that obtains users’ informed consent before gathering their data.

Wyden requested the DNI direct intelligence agencies to comply with the FTC ruling by:

  • Auditing the personal data the agency buys about Americans, including location and internet metadata. He noted that a January 2022 report on commercially available information by the DNI also recommended conducting inventories of IC purchases of commercially available information.

  • Ascertaining whether the inventoried data sources are legal based on the standard recently laid out by the FTC.

  • Deleting data when purchases do not meet the legal bar set by the FTC for personal data sales. If the IC needs to keep the data, it must describe why it needs it and explain what the data shows to Congress and, if possible, the public.

Wyden released a series of documents from the NSA and Undersecretary of Defense Ronald Moultrie answering questions he posed about how the IC handles the data.

In a Dec. 19 letter to the senator, Moultrie acknowledged that the NSA buys “commercial data, which includes information associated with phones located inside and outside of the United States.”

“They use the data, or a portion of the data, as necessary, in accordance with applicable legal and regulatory authorities to conduct lawful intelligence or cybersecurity missions,” Moultrie wrote.

The letter noted that the response reflects activities for multiple defense agencies. Moultrie’s letter also cited a Dec. 11 letter that current NSA Director Paul Nakasone sent the senator, saying the NSA “does not buy and use location data collected from phones known to be used in the United States either with or without a court order.”


Suzanne Smalley

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.